Digital computer-based protected control networks are widely used at power and process industry plants around the world. Most of the newer protected control networks are capable of communicating over standard networks such as TCP/IP over Ethernet. A variety of standard and custom protocols are used over standard computer networks to communicate data to and from the protected control networks. Examples of standard protocols include OLE for Process Control (OPC) and Modbus/TCP. This makes it easier to communicate data between systems, but it also opens a potential channel for cyber-attacks on the protected control networks.
Traditionally the danger of cyber-attack has been mitigated by placing all of the protected control networks on one or more isolated control networks. This protects the protected control networks from many external attacks, but does not allow communication with the outside world. Communication from the control or monitoring systems to the outside world has sometimes been implemented through a network firewall. Firewalls selectively allow limited communication between the protected control networks (on the control network) and specific computers on a general business network.
Proper design and implementation of the network and firewall reduces, but does not eliminate, the possibility of cyber-attack. If a computer outside the control network has been granted limited firewall access to communicate with a control or monitoring system on the control network, this outside computer may be used as the base for a cyber-attack on the control or monitoring system computer. While these attacks are more difficult to perform because of the firewall, they are not impossible.
Increasing emphasis is being placed on cyber security to protect against casual computer hackers as well as organized crime and agents employed by governments or intelligence agencies. Publicized and private security breaches occur on a regular basis. Best practices for cyber security are becoming increasingly stringent as cyber-attacks become more sophisticated. Requirements such as the Federal Energy Regulatory Commission's Critical Infrastructure Protection standards may prohibit the use of a routable network protocol to communicate between protected control networks. This eliminates the traditional use of standard computer communication networks and firewalls for communication between control or monitoring systems and computers attached to a general-purpose network.
Control and monitoring system data is still needed for general business purposes such as production planning and equipment health monitoring. This requires a different approach to data communication that accurately and safely transmits data from protected control networks to general-purpose computer systems without the risk of cyber-attack on the control systems.
Several industrial communication systems can be used to communicate data from a control system. These provide alternatives to a traditional computer network that do not use a routable protocol. Examples include Modbus communication over a serial connection and control or fieldbus networks such as CAN (Controller Area Network) or Profibus. These industrial communication systems are all bi-directional. Data can be transmitted from the control systems to the general-purpose computers, and from the general-purpose computers to the control system. While the fact that some of these protocols are not routable reduces the risk of cyber-attack, it does not eliminate it. This is especially true if data is transmitted to the control system from the general-purpose computer.
For example, a power plant control system may receive a load demand signal (production output request) from the general-purpose computer. If an attacker can control the general-purpose computer, they may send a load demand signal of zero to the control system, effectively shutting down the power plant. Even if no data is transmitted from the general-purpose computer to the control system, there is still a smaller risk of attack. Most industrial communication links require feedback from the receiving system for coordinating communication, reporting errors, and acknowledging that data has been received correctly. Improper or illegal messages sent over the communication link from the general-purpose computer may interfere with the proper operation of the control system in some cases. This is true even when the actual data is being transmitted in only one direction. These “Denial of Service” attacks require more skill to conduct but are still possible for a dedicated attacker.
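The load demand case above, shown as an added example that is not part of the original text: a filter on the control side of a serial Modbus link that checks each request arriving from the general-purpose computer and forwards only reads. The unit address, the register address 0x0010 used for load demand, and the function names are assumptions made for illustration.

```python
import struct

# Modbus function codes (public protocol constants).
READ_FUNCS = {0x01, 0x02, 0x03, 0x04}    # read coils, discrete inputs, holding and input registers
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}   # write single/multiple coils and registers


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, func: int, payload: bytes) -> bytes:
    """Build an RTU frame; the CRC is appended low byte first."""
    body = bytes([unit, func]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def gate(frame: bytes) -> str:
    """Verdict for one request arriving from the general-purpose side."""
    if len(frame) < 4:
        return "drop-malformed"          # too short for address, function and CRC
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        return "drop-malformed"          # corrupted or improper message
    if body[1] in READ_FUNCS:
        return "forward"                 # data still flows control -> business
    if body[1] in WRITE_FUNCS:
        return "drop-write"              # business side tried to change control data
    return "drop-unsupported"


# Constructed sample traffic. Register 0x0010 as "load demand" is hypothetical.
SAMPLES = {
    "read 2 holding registers": build_frame(1, 0x03, struct.pack(">HH", 0x0000, 2)),
    "write load demand = 0": build_frame(1, 0x06, struct.pack(">HH", 0x0010, 0)),
    "truncated read": build_frame(1, 0x03, struct.pack(">HH", 0x0000, 2))[:-1],
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:26} {frame.hex():20} -> {gate(frame)}")
```

Even with writes dropped, request frames from the general-purpose computer still reach the control side of the link, which is the residual risk the paragraph describes for links that need feedback from the receiver.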
Currently, there is a need for a secure means of transmitting information from a secure network without the risk of unwanted entities gaining control of the secure network.